1. Field of the Invention
The present invention relates to a security technology in computer systems.
2. Related Background Art
Nowadays, as a transmission method that realizes a storage area network (SAN), Fibre Channel-Storage Area Network (FC-SAN) that uses fibre channel has become the main stream. Fibre channel is highly reliable and its transmission performance is very high because it uses optical medium.
Recently, Ethernet®, which used to fall behind fibre channel in transfer performance, has achieved much higher speed with advances in the network technology, and is increasingly adopted to SAN while being traded on its unlimited connection distance, low cost and mutual connectivity. To distinguish from FC-SAN, SAN using Ethernet ® is called IP-SAN. Internet SCSI (iSCSI) is said to be the most influential means to realize the IP-SAN.
Various devices that are connected to a network are each provided with an identifier that indicates its own identify. For example, in an IP network, MAC addresses and IP addresses are used as identifiers, and in a fibre channel network, port IDs and World Wide Names (WWNs) are used as identifiers. Also, there are cases where a management computer that manages identifies and assists communications between devices (hereafter referred to as a “management server”) is provided in a network. For example, in an IP network, a domain name system (DNS) server manages host names and their relation with IP addresses; and in a fibre channel system, a simple name server (SNS) manages WWNs and the like.
In this manner, various devices detect other devices on the network and mutually communicate through communications with a management server. Hereafter, a processing that is performed by a device to detect other devices on the network is called a discovery processing.
Three discovery processings (i.e., static configuration, SendTargets, and zero-configuration) in iSCSI that have been proposed are briefly discussed below.
(1) Static Configuration
In a static configuration, identifiers of target storage devices (IP addresses, TCP port numbers and target device names) are allocated in advance to an initiator. Therefore, the initiator can recognize the storage devices without requiring a discovery processing. It is noted that, among devices, a device that independently issues commands to search for other devices is called an initiator, and devices that respond to the commands issued by the initiator or devices which communicate with the initiator are called targets.
(2) SendTargets
SendTargets are used when an initiator already knows IP addresses of targets and TCP port numbers that are used in TCP protocol.
There are mainly two request types in SendTargets. One of them is a type that requests identification information of all devices that are controlled by each target (hereafter called an “all-device request”), and the other is a type that requests identification information of only designated devices (hereafter called a “device designation request”). Hereunder, a flow of a discovery processing by SendTargets is described with reference to FIG. 6.
First, an initiator issues a discovery request to a target (step 605).
Upon receiving the discovery request, the target reads and determines its request type (step 610).
When the request type is an all-device request, the target includes identification information of all devices that are controlled by the target in a response command, and transmits the response command to the initiator (step 615).
When the request type is a device-designation request, the target that has received the request includes identification information of only the designated devices in a response command, and returns the same to the initiator (step 620).
Upon receiving the response command, the initiator analyzes its content to thereby obtain the identification information of the devices that are controlled by the target (step 625), and starts a login processing, using the identification information, with the devices that are controlled by the target as new targets (step 630). When a login is accepted, an I/O processing is started (step 635).
(3) Zero-Configuration
Zero-configuration is a discovery method that uses a management server (that may be accompanied by an agent).
There are mainly two discovery methods in zero-configuration.
One of them is a method that uses Service Locator Protocol (SLP) that is already used in an IP network. To use SLP, a dedicated program called an agent needs to be introduced into an initiator and targets. Also, by placing a directory agent on a network, the management unit can be expanded. When a directory agent does not exist, the agents of the initiator and targets mutually exchange management information. When a directory agent exists, the agent of the initiator searches for the targets through the directory agent.
The other is a method that uses iSNS (Internet Storage Name Service). In iSNS, Simple Network Management Protocol (SNMP) for registering device information in a management server, i.e., iSNSP needs to be installed in each of the devices. Then, at the time when device information is registered in the management server, the management server notifies devices in the management unit (discovery domain) of the device information such that other devices can discover the devices whose device information are registered.
An effective device management in a storage network becomes possible through the use of an appropriate one of the discovery methods described above according to particular purposes and the size of the storage network.
To ensure the security in a storage system having a plurality of storage devices, the following method is conventionally implemented. The storage system retains a table that associates the storage system and identifiers of computers, which are required for the computers to login the storage system. The storage system compares an identifier included in a frame that is sent from a computer with the identifiers registered in the table, and continues processings according to instructions of the frame when there is a match; but returns a frame to refuse the received frame. In this manner, illegal accesses from unauthorized computers can be prevented.
The security of SAN can be provided by the following method. A disk control unit retains a record including configuration data that identifies storage devices accessed by each of authorized network devices. By using the record, the disk control unit judges whether a device having no data access privileges is a device that is authorized to have an access, and allows the access if the device is authorized, but denies the access if the device is not authorized.
According to the conventional technologies described above, computers can readily login a storage system with port IDs and WWNs in FC-SAN. This is because only computers that have already logged in the network are subject to the processing for preventing illegal accesses. Since FC-SAN is a somewhat closed network, and has a few illegal accesses, it was sufficient to conduct the processing to prevent illegal accesses against computers that had already logged in the network. However, for IP-SAN that has a broad range of connections, there are a greater number of illegal accesses. Accordingly, it is not enough for IP-SAN to cover only computers that have logged in the network. If the conventional technology is directly applied to IP-SAN without any changes, there is an increased threat in attacks such as denial of service (DoS) attacks to the storage system. It is noted that if the former conventional technology described above is mapped on iSCSI, identifiers of computers and storage devices would have iSCSI names.